Message-ID: <rionzgtulanvxm4rgzofirnucrfio2azzeic6nqa67l2kzvu24@oesvlq22ndwd>
Date: Wed, 22 Oct 2025 12:04:46 +0100
From: Adrián Larumbe <adrian.larumbe@...labora.com>
To: Akash Goel <akash.goel@....com>
Cc: linux-kernel@...r.kernel.org, dri-devel@...ts.freedesktop.org, 
	Steven Price <steven.price@....com>, Boris Brezillon <boris.brezillon@...labora.com>, 
	kernel@...labora.com, Liviu Dudau <liviu.dudau@....com>, 
	Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>, Maxime Ripard <mripard@...nel.org>, 
	Thomas Zimmermann <tzimmermann@...e.de>, David Airlie <airlied@...il.com>, 
	Simona Vetter <simona@...ll.ch>
Subject: Re: [PATCH] drm/panthor: Support partial unmaps of huge pages

On 22.10.2025 10:05, Adrián Larumbe wrote:
> On 22.10.2025 05:45, Akash Goel wrote:
> >
> >
> > On 10/21/25 18:39, Adrián Larumbe wrote:
> > > Hi Akash,
> > >
> > > On 21.10.2025 15:32, Akash Goel wrote:
> > > >
> > > >
> > > > On 10/19/25 04:19, Adrián Larumbe wrote:
> > > > > Commit 33729a5fc0ca ("iommu/io-pgtable-arm: Remove split on unmap
> > > > > behavior") did away with the treatment of partial unmaps of huge IOPTEs.
> > > > >
> > > >
> > > > > Sorry, I have a doubt.
> > > >
> > > > Corresponding to the commit 33729a5fc0ca, can we now remove the code to
> > > > pre-allocate L3 page table pages i.e. 'op_ctx->rsvd_page_tables.pages' inside
> > > > > panthor_vm_prepare_unmap_op_ctx()?
> > > >
> > > > > In the case of Panthor, that means an attempt to run a VM_BIND unmap
> > > > > operation on a memory region whose start address and size aren't 2MiB
> > > > > aligned, in the event it intersects with a huge page, would lead to ARM
> > > > > IOMMU management code to fail and a warning being raised.
> > > > >
> > > > > Presently, and for lack of a better alternative, it's best to have
> > > > > Panthor handle partial unmaps at the driver level, by unmapping entire
> > > > > huge pages and remapping the difference between them and the requested
> > > > > unmap region.
> > > > >
> > > > > This could change in the future when the VM_BIND uAPI is expanded to
> > > > > enforce huge page alignment and map/unmap operational constraints that
> > > > > render this code unnecessary.
> > > > >
> > > > > Signed-off-by: Adrián Larumbe <adrian.larumbe@...labora.com>
> > > > > ---
> > > > >    drivers/gpu/drm/panthor/panthor_mmu.c | 129 +++++++++++++++++++++++++-
> > > > >    1 file changed, 126 insertions(+), 3 deletions(-)
> > > > >
> > > > > diff --git a/drivers/gpu/drm/panthor/panthor_mmu.c b/drivers/gpu/drm/panthor/panthor_mmu.c
> > > > > index 2d041a2e75e9..f9d200e57c04 100644
> > > > > --- a/drivers/gpu/drm/panthor/panthor_mmu.c
> > > > > +++ b/drivers/gpu/drm/panthor/panthor_mmu.c
> > > > > @@ -2093,6 +2093,98 @@ static int panthor_gpuva_sm_step_map(struct drm_gpuva_op *op, void *priv)
> > > > >    	return 0;
> > > > >    }
> > > > > +static bool
> > > > > +is_huge_page_partial_unmap(const struct panthor_vma *unmap_vma,
> > > > > +			   const struct drm_gpuva_op_map *op,
> > > > > +			   u64 unmap_start, u64 unmap_range,
> > > > > +			   u64 sz2m_prev, u64 sz2m_next)
> > > > > +{
> > > > > +	size_t pgcount, pgsize;
> > > > > +	const struct page *pg;
> > > > > +	pgoff_t bo_offset;
> > > > > +
> > > > > +	if (op->va.addr < unmap_vma->base.va.addr) {
> > > >
> > > >
> > > > Sorry, another doubt.
> > > >
> > > > > Will this condition ever be true?
> > > >
> > > > For 'op->remap.prev', 'op->va.addr' will always be equal to
> > > > 'unmap_vma->base.va.addr'.
> > >
> > > I believe it will always be less than that.
> >
> >
> > Thanks Adrian for having a look.
> >
> > static int panthor_gpuva_sm_step_remap(struct drm_gpuva_op *op,
> > {
> > 	struct panthor_vma *unmap_vma = container_of(op->remap.unmap->va, struct
> > panthor_vma, base);
> >
> >
> > IIUC, the 'unmap_vma' passed to panthor_gpuva_sm_step_remap() will always
> > cover the entire VA range of 'drm_gpuva'.
> > That's why drm_gpuva_op_remap_to_unmap_range() is called to know the exact
> > range to be unmapped.
> >
> > In __drm_gpuvm_sm_unmap() and __drm_gpuvm_sm_map(), you can see this,
> >
> > struct drm_gpuva_op_unmap u = { .va = va };
> >
> >
> > > What will be equal to unmap_vma->base.va.addr is op->remap.prev->va.addr +
> > > op->remap.prev->va.range
> >
> >
> > I think op->remap.prev->va.addr + op->remap.prev->va.range will be equal to
> > 'unmap_start' after the call to drm_gpuva_op_remap_to_unmap_range().
> >
> > Sorry I may have again misunderstood the code.
>
> I had a second look at __drm_gpuvm_sm_unmap() and you're right. I should've said it's always
> the case that op->va.addr < unmap_start inside is_huge_page_partial_unmap.
>
> This is a bug and it makes me wonder why when I ran some tests, the unmap intervals
> I got seemed fine. I'll go try again and also test Boris' implementation suggestion.

Turns out the reason the code worked was that all the testing I've done is
over previous mappings that were always a multiple of 2MiB in length, so
even when the op in question was previous to the original 'unmap' one
and 'if (op->va.addr < unmap_vma->base.va.addr)' evaluated to false, the
ending address of next.va would also belong to a 2MiB huge page, so the
condition would still hold.

This is a glaring bug and would show up when the end address of
remap->next.va doesn't belong to a huge page. This means I need to
provide a more detailed testing plan for the next revision.

> > Please can you check.
> >
> > Best regards
> > Akash
> >
> >
> > > > And for 'op->remap.next', 'op->va.addr' will always be greater than
> > > > 'unmap_vma->base.va.addr'.
> > >
> > > Yes, I believe so.
> > >
> > > > Please can you clarify.
> > > >
> > > > Best regards
> > > > Akash
> > > >
> > > >
> > > > > +		bo_offset = unmap_start - unmap_vma->base.va.addr + unmap_vma->base.gem.offset;
> > > > > +		sz2m_prev = ALIGN_DOWN(unmap_start, SZ_2M);
> > > > > +		sz2m_next = ALIGN(unmap_start + 1, SZ_2M);
> > > > > +		pgsize = get_pgsize(unmap_start, unmap_range, &pgcount);
> > > > > +
> > > > > +	} else {
> > > > > +		bo_offset = ((unmap_start + unmap_range - 1) - unmap_vma->base.va.addr)
> > > > > +			+ unmap_vma->base.gem.offset;
> > > > > +		sz2m_prev = ALIGN_DOWN(unmap_start + unmap_range - 1, SZ_2M);
> > > > > +		sz2m_next = ALIGN(unmap_start + unmap_range, SZ_2M);
> > > > > +		pgsize = get_pgsize(sz2m_prev, unmap_start + unmap_range - sz2m_prev, &pgcount);
> > > > > +	}
> > > > > +
> > > > > +	pg = to_panthor_bo(unmap_vma->base.gem.obj)->base.pages[bo_offset >> PAGE_SHIFT];
> > > > > +
> > > > > +	if (pgsize == SZ_4K && folio_order(page_folio(pg)) == PMD_ORDER &&
> > > > > +	    unmap_vma->base.va.addr <= sz2m_prev && unmap_vma->base.va.addr +
> > > > > +	    unmap_vma->base.va.range >= sz2m_next)
> > > > > +		return true;
> > > > > +
> > > > > +	return false;
> > > > > +}
> > > > > +
> > > > > +struct remap_params {
> > > > > +	u64 prev_unmap_start, prev_unmap_range;
> > > > > +	u64 prev_remap_start, prev_remap_range;
> > > > > +	u64 next_unmap_start, next_unmap_range;
> > > > > +	u64 next_remap_start, next_remap_range;
> > > > > +	u64 unmap_start, unmap_range;
> > > > > +};
> > > > > +
> > > > > +static struct remap_params
> > > > > +get_map_unmap_intervals(const struct drm_gpuva_op_remap *op,
> > > > > +			const struct panthor_vma *unmap_vma)
> > > > > +{
> > > > > +	u64 unmap_start, unmap_range, sz2m_prev, sz2m_next;
> > > > > +	struct remap_params params = {0};
> > > > > +
> > > > > +	drm_gpuva_op_remap_to_unmap_range(op, &unmap_start, &unmap_range);
> > > > > +
> > > > > +	if (op->prev) {
> > > > > +		sz2m_prev = ALIGN_DOWN(unmap_start, SZ_2M);
> > > > > +		sz2m_next = ALIGN(unmap_start + 1, SZ_2M);
> > > > > +
> > > > > +		if (is_huge_page_partial_unmap(unmap_vma, op->prev, unmap_start,
> > > > > +					       unmap_range, sz2m_prev, sz2m_next)) {
> > > > > +			params.prev_unmap_start = sz2m_prev;
> > > > > +			params.prev_unmap_range = SZ_2M;
> > > > > +			params.prev_remap_start = sz2m_prev;
> > > > > +			params.prev_remap_range = unmap_start & (SZ_2M - 1);
> > > > > +
> > > > > +			u64 diff = min(sz2m_next - unmap_start, unmap_range);
> > > > > +
> > > > > +			unmap_range -= diff;
> > > > > +			unmap_start += diff;
> > > > > +		}
> > > > > +	}
> > > > > +
> > > > > +	if (op->next) {
> > > > > +		sz2m_prev = ALIGN_DOWN(unmap_start + unmap_range - 1, SZ_2M);
> > > > > +		sz2m_next = ALIGN(unmap_start + unmap_range, SZ_2M);
> > > > > +
> > > > > +		if (is_huge_page_partial_unmap(unmap_vma, op->next, unmap_start,
> > > > > +					       unmap_range, sz2m_prev, sz2m_next)) {
> > > > > +			if (unmap_range) {
> > > > > +				params.next_unmap_start = sz2m_prev;
> > > > > +				params.next_unmap_range = SZ_2M;
> > > > > +				unmap_range -= op->next->va.addr & (SZ_2M - 1);
> > > > > +			}
> > > > > +
> > > > > +			params.next_remap_start = op->next->va.addr;
> > > > > +			params.next_remap_range = SZ_2M - (op->next->va.addr & (SZ_2M - 1));
> > > > > +		}
> > > > > +	}
> > > > > +
> > > > > +	params.unmap_start = unmap_start;
> > > > > +	params.unmap_range = unmap_range;
> > > > > +
> > > > > +	return params;
> > > > > +}
> > > > > +
> > > > >    static int panthor_gpuva_sm_step_remap(struct drm_gpuva_op *op,
> > > > >    				       void *priv)
> > > > >    {
> > > > > @@ -2100,20 +2192,51 @@ static int panthor_gpuva_sm_step_remap(struct drm_gpuva_op *op,
> > > > >    	struct panthor_vm *vm = priv;
> > > > >    	struct panthor_vm_op_ctx *op_ctx = vm->op_ctx;
> > > > >    	struct panthor_vma *prev_vma = NULL, *next_vma = NULL;
> > > > > -	u64 unmap_start, unmap_range;
> > > > > +	struct remap_params params;
> > > > >    	int ret;
> > > > > -	drm_gpuva_op_remap_to_unmap_range(&op->remap, &unmap_start, &unmap_range);
> > > > > -	ret = panthor_vm_unmap_pages(vm, unmap_start, unmap_range);
> > > > > +	/*
> > > > > +	 * ARM IOMMU page table management code disallows partial unmaps of huge pages,
> > > > > +	 * so when a partial unmap is requested, we must first unmap the entire huge
> > > > > +	 * page and then remap the difference between the huge page minus the requested
> > > > > +	 * unmap region. Calculating the right offsets and ranges for the different unmap
> > > > > +	 * and map operations is the responsibility of the following function.
> > > > > +	 */
> > > > > +	params = get_map_unmap_intervals(&op->remap, unmap_vma);
> > > > > +
> > > > > +	ret = panthor_vm_unmap_pages(vm, params.unmap_start, params.unmap_range);
> > > > >    	if (ret)
> > > > >    		return ret;
> > > > >    	if (op->remap.prev) {
> > > > > +		ret = panthor_vm_unmap_pages(vm, params.prev_unmap_start,
> > > > > +					     params.prev_unmap_range);
> > > > > +		if (ret)
> > > > > +			return ret;
> > > > > +		ret = panthor_vm_map_pages(vm, params.prev_remap_start,
> > > > > +					   flags_to_prot(unmap_vma->flags),
> > > > > +					   to_drm_gem_shmem_obj(op->remap.prev->gem.obj)->sgt,
> > > > > +					   op->remap.prev->gem.offset, params.prev_remap_range);
> > > > > +		if (ret)
> > > > > +			return ret;
> > > > > +
> > > > >    		prev_vma = panthor_vm_op_ctx_get_vma(op_ctx);
> > > > >    		panthor_vma_init(prev_vma, unmap_vma->flags);
> > > > >    	}
> > > > >    	if (op->remap.next) {
> > > > > +		ret = panthor_vm_unmap_pages(vm, params.next_unmap_start,
> > > > > +					     params.next_unmap_range);
> > > > > +		if (ret)
> > > > > +			return ret;
> > > > > +
> > > > > +		ret = panthor_vm_map_pages(vm, params.next_remap_start,
> > > > > +					   flags_to_prot(unmap_vma->flags),
> > > > > +					   to_drm_gem_shmem_obj(op->remap.next->gem.obj)->sgt,
> > > > > +					   op->remap.next->gem.offset, params.next_remap_range);
> > > > > +		if (ret)
> > > > > +			return ret;
> > > > > +
> > > > >    		next_vma = panthor_vm_op_ctx_get_vma(op_ctx);
> > > > >    		panthor_vma_init(next_vma, unmap_vma->flags);
> > > > >    	}
> > > > >
> > > > > base-commit: 7fb19ea1ec6aa85c75905b1fd732d50801e7fb28
> > > > > prerequisite-patch-id: 3b0f61bfc22a616a205ff7c15d546d2049fd53de
> > >
> > > Adrian Larumbe
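
A user-space model of the approach the commit message describes (unmap whole huge pages, then map back the part that was not meant to go), added here as an example; it is not the patch's code. The `model_vma` layout, the per-slot `huge` flags, the constructed `sample` mapping and `plan_unmap()` are assumptions made for illustration, and the request is handled as one interval rather than as separate prev/next ops. The sample run is the case the last reply singles out, where the end of the range does not fall in a huge page.

```c
#include <stdint.h>
#include <stdio.h>

#define SZ_2M (2ULL << 20)
#define ALIGN_DOWN_2M(x) ((x) & ~(SZ_2M - 1))

struct interval { uint64_t start, range; };
struct unmap_plan { struct interval unmap, remap_head, remap_tail; };

/* Hypothetical model of one mapping: 'huge' has a flag per 2MiB slot, counted
 * from ALIGN_DOWN_2M(addr), set when that slot is backed by a 2MiB entry. */
struct model_vma { uint64_t addr, range; const uint8_t *huge; };

/* Constructed sample: 6MiB at 4MiB; two huge slots, then one of 4KiB pages. */
static const uint8_t sample_huge[] = { 1, 1, 0 };
static const struct model_vma sample = { 0x400000, 0x600000, sample_huge };

/* A slot is treated as huge only if the mapping covers all 2MiB of it. */
static int slot_is_huge(const struct model_vma *v, uint64_t addr)
{
	uint64_t slot = ALIGN_DOWN_2M(addr);

	if (slot < v->addr || slot + SZ_2M > v->addr + v->range)
		return 0;
	return v->huge[(slot - ALIGN_DOWN_2M(v->addr)) / SZ_2M];
}

/* Widen [start, start + range) to whole huge pages and report what has to be
 * mapped again on each side. Assumes range > 0 and the interval is inside v. */
static struct unmap_plan plan_unmap(const struct model_vma *v, uint64_t start, uint64_t range)
{
	uint64_t end = start + range, lo = start, hi = end;
	struct unmap_plan p;

	if ((start & (SZ_2M - 1)) && slot_is_huge(v, start))
		lo = ALIGN_DOWN_2M(start);
	if ((end & (SZ_2M - 1)) && slot_is_huge(v, end - 1))
		hi = ALIGN_DOWN_2M(end - 1) + SZ_2M;
	p.unmap = (struct interval){ lo, hi - lo };
	p.remap_head = (struct interval){ lo, start - lo };
	p.remap_tail = (struct interval){ end, hi - end };
	return p;
}

int main(void)
{
	struct unmap_plan p = plan_unmap(&sample, 0x7ff000, 0x2000);

	printf("unmap %#llx+%#llx\n", (unsigned long long)p.unmap.start,
	       (unsigned long long)p.unmap.range);
	return 0;
}
```

A test plan that only uses mappings whose length is a multiple of 2MiB never reaches the second `if` with a non-huge slot, which is why the sample mapping ends in a 4KiB-backed slot.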
